How to extract iPhone data: iOS Agent.

June 15, 2022

Learn how iOS Agent, a tool specific to Oxygen Forensic® Detective, can extract data from supported iOS devices.

Get a Free Trial

What is iOS Agent?

iOS Agent, an extraction method found in Oxygen Forensic® Detective’s Device Extractor tool, is an app created for iOS devices that is installed directly to the device as a regular unprivileged user app.

The iOS Agent method allows extraction of full file systems and keychains. iOS Agent’s compatibility with new devices and iOS versions is a  primary methods for complete evidence extraction from a wide range of iOS devices.

The following devices are supported by the iOS Agent method:

  • iPhone 14 – iPhone 14 Pro with iOS 16.0- 16.5
  • iPhone 13 – iPhone 13 Pro with iOS 15.0- 16.5
  • iPhone 8 – iPhone 12 with iOS 14.0- 16.5
  • iPhone 6S – iPhone 7 with iOS 14.0- 15.7.3
  • iPad (chipset M2) with iOS 16.1- 16.5
  • iPad (chipsets A13, A15) with iOS 16.1- 16.5, 15.0-15.7.2
  • iPad (chipsets A9-A12, A14, M1) with iOS 16.1- 16.5, 14.0-15.7.2
  • iPad (chipset A8) with iOS 14.0-15.7.3

View all supported devices extraction methods →

How to Extract iPhone Data with iOS Agent

Before initiating the data extraction process, note that an Apple account is required for signing into the installed application.

To install the agent app, you must authenticate an Apple ID account and obtain a certificate for signing the app in Oxygen Forensic® Device Extractor.

Screenshot of Device Extractor tool opened in Oxygen Forensic® Detective with Method on the left hand side highlighted with iOS Agent as the methodology.

Extraction Module Modes

There are two extraction modes – low level acquisition and public data acquisition.

  • Low level acquisition: extract full file system and keychain from supported Apple iOS devices.
  • Public data extraction: only publicly available data will be acquired. It will contain a limited evidence set:
  • device information
  • contact data
  • calendar and events
  • photos and media files

Public data extraction is recommended when low-level extraction is not possible on a device.

When the device is connected via USB and one of the two extraction modes is chosen, you must  sign in with a valid prearranged Apple account.

Screenshot of Device Extractor tool is open in Oxygen Forensic® Detective with the Extraction option highlighted on the lefthand side and asking for apple ID information of the iOS device being extracted from

The iOS Agent application may be signed via:

  • Free signature
  • Developer signature

If the low-level acquisition method is used, the device must be connected to the internet. After the application signed with free signature is installed, the user has to go to Settings → General → Device Management and set the developer as trusted.

If the application is signed with a developer signature, it may stay offline and additional settings are not required.

Please note the following difference:

  • Free certificates are valid for seven (7) days, and there may be a maximum of two (2) certificates on a free account.
  • A certificate from a paid developer account is valid for one (1) year. There may be up to 10 certificates on such accounts.

Screenshot of Device Extractor tool is open in Oxygen Forensic® Detective with the Extraction option highlighted on the lefthand side after login into the apple device preparing it for extraction

As soon as the app is signed, the data extraction may begin. After the extraction process is over, you can open the extracted data in Oxygen Forensic® Detective for further analysis.

Learn more about our analytic tools →

Interested in this capability?

Get a free trial of Oxygen Forensic® Detective

By submitting a form you are agreeing to our Privacy Policy.